From 4ca782bfdae5951da43cca3c017a19a3f8e69ee3 Mon Sep 17 00:00:00 2001 From: Jagadisha V Date: Tue, 19 Aug 2025 11:54:22 +0530 Subject: [PATCH 1/5] Vectra app doc --- blog-service/2025-08-21-apps.md | 12 + cid-redirects.json | 1 + .../product-list/product-list-m-z.md | 2 +- docs/integrations/saas-cloud/index.md | 6 + docs/integrations/saas-cloud/vectra.md | 222 ++++++++++++++++++ sidebars.ts | 1 + 6 files changed, 243 insertions(+), 1 deletion(-) create mode 100644 blog-service/2025-08-21-apps.md create mode 100644 docs/integrations/saas-cloud/vectra.md diff --git a/blog-service/2025-08-21-apps.md b/blog-service/2025-08-21-apps.md new file mode 100644 index 0000000000..f1b712ab32 --- /dev/null +++ b/blog-service/2025-08-21-apps.md @@ -0,0 +1,12 @@ +--- +title: Vectra(Apps) +image: https://help.sumologic.com/img/reuse/rss-image.jpg +keywords: + - apps + - vectra +hide_table_of_contents: true +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +We're excited to introduce the new Vectra app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud [Vectra source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vectra-source/) to collect the detections from the Netskope WebTx platform. It provides security analysts with visibility into security threats detected across networks, cloud environments, and endpoints. [Learn more](/docs/integrations/saas-cloud/vectra/). \ No newline at end of file diff --git a/cid-redirects.json b/cid-redirects.json index 0a25966d48..94de56132b 100644 --- a/cid-redirects.json +++ b/cid-redirects.json 
@@ -1644,6 +1644,7 @@ "/cid/10211": "/docs/integrations/saas-cloud/microsoft-azure-ad-inventory", "/cid/10203": "/docs/integrations/saas-cloud/microsoft-graph-security-v1", "/cid/10205": "/docs/integrations/saas-cloud/microsoft-graph-security-v2", + "/cid/10212": "/docs/integrations/saas-cloud/vectra", "/cid/10206": "/docs/integrations", "/cid/10204": "/docs/integrations/saas-cloud/cato-networks", "/cid/10198": "/docs/integrations/saas-cloud/microsoft-graph-azure-ad-reporting", diff --git a/docs/integrations/product-list/product-list-m-z.md b/docs/integrations/product-list/product-list-m-z.md index adcea33991..8383a746a7 100644 --- a/docs/integrations/product-list/product-list-m-z.md +++ b/docs/integrations/product-list/product-list-m-z.md @@ -205,7 +205,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [ | :-- | :-- | :-- | | Thumbnail icon | [Varnish](https://www.varnish-software.com/) | Apps:
- [Varnish](/docs/integrations/web-servers/varnish/)
- [Varnish - OpenTelemetry](/docs/integrations/web-servers/opentelemetry/varnish-opentelemetry/) | | Thumbnail icon | [Varonis](https://www.varonis.com/) | Cloud SIEM integration: [Varonis](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/20270f89-127e-4055-96ec-56045e67e163.md) | -| Thumbnail icon | [Vectra](https://www.vectra.ai/) | Automation integration: [Vectra](/docs/platform-services/automation-service/app-central/integrations/vectra/)
Collector: [Vectra Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vectra-source)
Cloud SIEM integration: [Vectra](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/7a3d1a5c-ba67-4597-971f-7057e8f6c8bb.md) | +| Thumbnail icon | [Vectra](https://www.vectra.ai/) | App: [Vectra](/docs/integrations/saas-cloud/vectra)
Automation integration: [Vectra](/docs/platform-services/automation-service/app-central/integrations/vectra/)
Collector: [Vectra Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vectra-source)
Cloud SIEM integration: [Vectra](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/7a3d1a5c-ba67-4597-971f-7057e8f6c8bb.md) | | Thumbnail icon | [VirusTotal](https://www.virustotal.com/) | Automation integrations:
- [VirusTotal](/docs/platform-services/automation-service/app-central/integrations/virustotal/)
- [VirusTotal V3](/docs/platform-services/automation-service/app-central/integrations/virustotal-v3/) | | Thumbnail icon | [VMRay](https://www.vmray.com/) | Automation integration: [VMRay](/docs/platform-services/automation-service/app-central/integrations/vmray/) | | Thumbnail icon | [VMware](https://www.vmware.com/) | Apps:
- [Carbon Black Cloud](/docs/integrations/security-threat-detection/carbon-black-cloud/)
- [VMware](/docs/integrations/containers-orchestration/vmware/)
- [VMware Legacy](/docs/integrations/containers-orchestration/vmware-legacy/)
- [VMware Carbon Black](/docs/integrations/security-threat-detection/vmware-carbon-black/)
- [VMWare - OpenTelemetry Collector](/docs/integrations/containers-orchestration/opentelemetry/vmware-opentelemetry/)
- [VMware Workspace ONE](/docs/integrations/saas-cloud/vmware-workspace-one/)
Automation integrations:
- [Lastline Analyst](/docs/platform-services/automation-service/app-central/integrations/lastline-analyst/)
- [VMware Carbon Black Cloud Endpoint Standard](/docs/platform-services/automation-service/app-central/integrations/vmware-carbon-black-cloud-endpoint-standard/)
- [VMware Carbon Black Cloud Endpoint Standard V2](/docs/platform-services/automation-service/app-central/integrations/vmware-carbon-black-cloud-endpoint-standard-v2/)
- [VMware Carbon Black Cloud Enterprise EDR](/docs/platform-services/automation-service/app-central/integrations/vmware-carbon-black-cloud-enterprise-edr/)
- [VMware Carbon Black Cloud Platform](/docs/platform-services/automation-service/app-central/integrations/vmware-carbon-black-cloud-platform/)
- [VMware vSphere](/docs/platform-services/automation-service/app-central/integrations/vmware-vsphere/)
- [VMware Workspace ONE](/docs/platform-services/automation-service/app-central/integrations/vmware-workspace-one/)
Cloud SIEM integrations:
- [Carbon Black](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/c2ea2e5e-92f2-49e8-9812-64e60dba63a2.md)
- [VMware](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/fbf25b91-89f1-45c4-903d-664b328bc6e0.md)
Collectors:
- [Carbon Black Cloud Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/carbon-black-cloud-source/)
- [Carbon Black Inventory Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/carbon-black-inventory-source/)
- [Collect Metrics from VMware vRealize Operations Manager 8 Enterprise](/docs/send-data/collect-from-other-data-sources/collect-metrics-vrealize-operations-manager/)
- [VMware AirWatch Integration for Sumo Logic](/docs/send-data/collect-from-other-data-sources/vmware-airwatch-integration/)
- [VMware vRealize Log Insight](/docs/send-data/collect-from-other-data-sources/vmware-vrealize-log-insight/)
- [VMware Workspace One Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vmware-workspace-one-source/)
Partner integration: [VMware Tanzu](https://docs.vmware.com/en/Sumo-Logic-Nozzle-for-VMware-Tanzu/services/sumologic-nozzle-vmware-tanzu/index.html) | diff --git a/docs/integrations/saas-cloud/index.md b/docs/integrations/saas-cloud/index.md index f3b54980f1..183de6beb7 100644 --- a/docs/integrations/saas-cloud/index.md +++ b/docs/integrations/saas-cloud/index.md @@ -417,6 +417,12 @@ Learn about the Sumo Logic apps for SaaS and Cloud applications.

Analyze authentication events, user activities, and potential security threats.

+
+
+ icon

Vectra

+

Gain visibility into security threats detected across networks, cloud environments, and endpoints.

+
+
icon

VMware Workspace ONE

diff --git a/docs/integrations/saas-cloud/vectra.md b/docs/integrations/saas-cloud/vectra.md new file mode 100644 index 0000000000..2471eb8d9a --- /dev/null +++ b/docs/integrations/saas-cloud/vectra.md 
@@ -0,0 +1,222 @@ +--- +id: vectra +title: Vectra +sidebar_label: Vectra +description: The Vectra app for Sumo Logic provides security analysts with visibility into security threats detected across networks, cloud environments, and endpoints. +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +Vectra-icon + +The Vectra app offers comprehensive visibility into security threats detected across networks, cloud environments, and endpoints. It consolidates threat intelligence from multiple sources, categorizing detections by their severity, type, and behavior, while providing detailed contextual data to accelerate investigations. With interactive dashboards and targeted monitoring tools, security teams can track trends, pinpoint high-risk activities, and measure remediation effectiveness. By combining threat scoring, detection timelines, and enriched metadata, the app empowers proactive threat hunting, rapid incident response, and continuous improvement of security posture. + +:::info +This app includes [built-in monitors](#vectra-alerts). For details on creating custom monitors, refer to the [Create monitors for vectra app](#create-monitors-for-the-vectra-app). +::: + +## Log types + +This app uses Sumo Logic’s [Vectra Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vectra-source/) to collect detections from the Vectra platform. + +### Sample log message + +```json title="Detection" +{ + "summary": { + "user_agents": [ + "Microsoft Azure CLI", + "Microsoft Azure CLI" + ], + "browser": [ + "Chrome 138.0.0", + "Chrome" + ], + "operating_system": [ + "Linux", + "Linux" + ], + "workloads": [ + "Azure Resource Manager", + "AzureActiveDirectory" + ], + "operations": [ + "UserLoggedIn" + ], + "src_ips": [ + "80.117.40.124" + ], + "description": "This account was seen using a scripting engine to access services in Azure AD which is unusual for the account. 
Unusual usage of scripting engines in Azure AD and Microsoft 365 can be indicative of a compromised account." + }, + "data_source": { + "type": "o365", + "connection_name": "M365-Demo", + "connection_id": "s9s9c5cj" + }, + "filtered_by_rule": false, + "src_account": { + "id": 1034, + "name": "O365:demolab.vectra.ai", + "url": "https://37373829274.cc1.portal.vectra.ai/api/v3.3/accounts/1034", + "threat": 30, + "certainty": 90, + "privilege_level": null, + "privilege_category": null + }, + "threat": 70, + "last_timestamp": "2025-08-12T18:29:21Z", + "is_targeting_key_asset": false, + "sensor_name": "Vectra X", + "filtered_by_ai": false, + "id": 3586, + "c_score": 60, + "src_ip": null, + "assigned_date": null, + "filtered_by_user": false, + "is_custom_model": false, + "assigned_to": null, + "detection_category": "lateral_movement", + "note_modified_timestamp": null, + "created_timestamp": "2025-08-12T18:53:29Z", + "note": null, + "is_marked_custom": false, + "url": "https://37373829274.cc1.portal.vectra.ai/api/v3.3/detections/3586", + "state": "active", + "detection": "Azure AD Unusual Scripting Engine Usage", + "triage_rule_id": null, + "groups": [], + "category": "lateral_movement", + "first_timestamp": "2025-08-12T18:29:21Z", + "certainty": 60, + "t_score": 70, + "tags": [], + "note_modified_by": null, + "detection_url": "https://37373829274.cc1.portal.vectra.ai/api/v3.3/detections/3586", + "description": null, + "notes": [], + "detection_type": "Azure AD Unusual Scripting Engine Usage", + "custom_detection": null, + "sensor": "s9s9c5cj", + "targets_key_asset": false, + "is_triaged": false, + "src_host": null, + "type": "account", + "grouped_details": [ + { + "workload": "Azure Resource Manager", + "user_agent": "Microsoft Azure CLI", + "operating_system": "Linux", + "browser": "Chrome 138.0.0", + "operations": [ + "UserLoggedIn" + ], + "operations_count": 1, + "src_ips": [ + "80.117.40.124" + ], + "first_timestamp": "2025-08-12T18:29:21Z", + "last_timestamp": 
"2025-08-12T18:29:21Z" + }, + { + "workload": "AzureActiveDirectory", + "user_agent": "Microsoft Azure CLI", + "operating_system": "Linux", + "browser": "Chrome", + "operations": [ + "UserLoggedIn" + ], + "operations_count": 1, + "src_ips": [ + "80.117.40.124" + ], + "first_timestamp": "2025-08-12T18:29:21Z", + "last_timestamp": "2025-08-12T18:29:21Z" + } + ] +} +``` + +### Sample queries + +```sql title="Total Detections" +_sourceCategory="Labs/Vectra" +| json "id","last_timestamp","first_timestamp","state","t_score","c_score","category","type","summary.operations[*]","grouped_details[*].src_ips[*]","detection_url","assigned_to","detection","certainty","src_account.id","src_account.name","src_account.url","src_account.threat","src_account.certainty" as id,last_timestamp,first_timestamp,state,t_score,c_score,category,type,operations,src_ips,detection_url,assigned_to,detection,certainty,src_account_id,src_account_name,src_account_url,src_account_threat,src_account_certainty nodrop +| if (t_score>=70,"critical",if(t_score>=41 and t_score<=69, "medium", if(t_score<=40,"low","unknown"))) as severity + +// global filters +| where isNull(state) or state matches "{{state}}" +| where isNull(category) or category matches "{{category}}" +| where isNull(severity) or severity matches "{{severity}}" +| where isNull(type) or type matches "{{type}}" +| where isNull(certainty) or certainty matches "{{certainty}}" + +// panel specific +| count by id +| count +``` + +## Collection configuration and app installation + +import CollectionConfiguration from '../../reuse/apps/collection-configuration.md'; + + + +:::important +Use the [Cloud-to-Cloud Integration for Vectra](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vectra-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Vectra app is properly integrated and configured to collect and analyze your Vectra data. 
+::: + +### Create a new collector and install the app + +import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md'; + + + +### Use an existing collector and install the app + +import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md'; + + + +### Use an existing source and install the app + +import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md'; + + + +## Viewing the Vectra dashboards​​ + +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; + + + +### Overview + +The **Vectra - Overview** dashboard offers a consolidated, real-time summary of all detected threats, enabling security teams to quickly assess the current threat landscape. It breaks down detections by severity(critical, medium, low), category, type, and resolution state, providing both counts and visual distributions. Time-based trend charts reveal spikes or patterns in threat activity, while geo-location maps identify where hosts are operating, including those in embargoed regions that may pose compliance risks. Additional panels highlight the top-impacted users, frequently targeted operations, and relevant detection sources, with direct links for in-depth investigation. This dashboard serves as the central entry point for monitoring threats, understanding scope, and prioritizing security actions.
Vectra-Overview + +### Security + +The **Vectra - Security** dashboard focuses on advanced and high-severity threats that require immediate attention. It highlights critical threat detections, command-and-control activities, and account-based privilege escalation attempts, as well as anomalies in Azure AD operations. Persistent threats are tracked with metrics on time-to-remediation, enabling teams to assess response efficiency. Each panels are designed to surface patterns that indicate targeted attacks, lateral movement, or ongoing compromise attempts. By consolidating these high-priority insights, the dashboard helps security analysts quickly isolate urgent incidents, understand attack context, and coordinate effective containment and remediation strategies.
Vectra-Security + +## Create monitors for the Vectra app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### Vectra alerts + +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | +|:--|:--|:--|:--| +| `Critical Threat Detections` | This alert is triggered when one or more threat detections with a threat score above 70 are identified. These detections indicate the most severe security risks and necessitate immediate investigation and remediation to prevent potential compromise or damage. | Critical | Count > 0 | + +## Upgrading/Downgrading the Vectra app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the Vectra app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + \ No newline at end of file diff --git a/sidebars.ts b/sidebars.ts index 85f9af31ae..78b170f656 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -2605,6 +2605,7 @@ integrations: [ 'integrations/saas-cloud/tenable', 'integrations/saas-cloud/trend-micro-vision-one', 'integrations/saas-cloud/trust-login', + 'integrations/saas-cloud/vectra', 'integrations/saas-cloud/vmware-workspace-one', 'integrations/saas-cloud/webex', 'integrations/saas-cloud/workday', From 39eb29b60cc1f2bddaa73f69b5578d170dd2aec9 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Wed, 20 Aug 2025 17:05:16 +0530 Subject: [PATCH 2/5] Update blog-service/2025-08-21-apps.md Co-authored-by: John Pipkin (Sumo Logic) --- blog-service/2025-08-21-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/blog-service/2025-08-21-apps.md b/blog-service/2025-08-21-apps.md index f1b712ab32..7a01fb35b2 100644 --- a/blog-service/2025-08-21-apps.md +++ b/blog-service/2025-08-21-apps.md @@ -1,5 +1,5 @@ --- -title: Vectra(Apps) +title: Vectra (Apps) image: https://help.sumologic.com/img/reuse/rss-image.jpg keywords: - apps 
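Review bot: the announcement text in the new blog-service/2025-08-21-apps.md says the source collects detections "from the Netskope WebTx platform", which is the wrong product for a Vectra app; it should read "from the Vectra platform", as the vectra.md page in the same patch does. The later "Update blog-service/2025-08-21-apps.md" patch in this series makes that correction, and the patch before it adds the missing space in the title "Vectra(Apps)"; squashing both into this commit would keep the series bisectable. The new file also ends without a trailing newline.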
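Review bot: the severity boundary in docs/integrations/saas-cloud/vectra.md is stated differently in the sample query and in the alert table. The "Total Detections" query labels `t_score>=70` as `critical`, while the `Critical Threat Detections` alert description says it fires for detections "with a threat score above 70", which excludes a score of exactly 70; pick one boundary and phrase it the same way in both places, and in the Overview text "severity(critical, medium, low)" add the missing space before the parenthesis. Smaller points in the same file: "Each panels are designed" should read "Each panel is designed"; the heading "Viewing the Vectra dashboards" appears to carry invisible trailing characters that would end up in the generated anchor; "Create monitors for vectra app" should capitalize Vectra (done in a later patch in this series); and the sample detection embeds a public-looking source address `80.117.40.124` and a tenant-specific portal hostname in its `url` fields, which are better replaced with an RFC 5737 documentation address and a generic placeholder host before publication.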
From aacc085c6a3c6bb37aeea1c1a69a5a3119e3b8e8 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Wed, 20 Aug 2025 17:05:27 +0530 Subject: [PATCH 3/5] Update docs/integrations/saas-cloud/vectra.md Co-authored-by: Kim (Sumo Logic) <56411016+kimsauce@users.noreply.github.com> --- docs/integrations/saas-cloud/vectra.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/saas-cloud/vectra.md b/docs/integrations/saas-cloud/vectra.md index 2471eb8d9a..5d3d6e86e9 100644 --- a/docs/integrations/saas-cloud/vectra.md +++ b/docs/integrations/saas-cloud/vectra.md @@ -12,7 +12,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; The Vectra app offers comprehensive visibility into security threats detected across networks, cloud environments, and endpoints. It consolidates threat intelligence from multiple sources, categorizing detections by their severity, type, and behavior, while providing detailed contextual data to accelerate investigations. With interactive dashboards and targeted monitoring tools, security teams can track trends, pinpoint high-risk activities, and measure remediation effectiveness. By combining threat scoring, detection timelines, and enriched metadata, the app empowers proactive threat hunting, rapid incident response, and continuous improvement of security posture. :::info -This app includes [built-in monitors](#vectra-alerts). For details on creating custom monitors, refer to the [Create monitors for vectra app](#create-monitors-for-the-vectra-app). +This app includes [built-in monitors](#vectra-alerts). For details on creating custom monitors, refer to the [Create monitors for Vectra app](#create-monitors-for-the-vectra-app). ::: ## Log types From 62fd52b241820455f146e58d38670493c24c88ee Mon Sep 17 00:00:00 2001 
From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Wed, 20 Aug 2025 17:08:49 +0530 Subject: [PATCH 4/5] Update blog-service/2025-08-21-apps.md --- blog-service/2025-08-21-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/blog-service/2025-08-21-apps.md b/blog-service/2025-08-21-apps.md index 7a01fb35b2..7988e01118 100644 --- a/blog-service/2025-08-21-apps.md +++ b/blog-service/2025-08-21-apps.md @@ -9,4 +9,4 @@ hide_table_of_contents: true import useBaseUrl from '@docusaurus/useBaseUrl'; -We're excited to introduce the new Vectra app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud [Vectra source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vectra-source/) to collect the detections from the Netskope WebTx platform. It provides security analysts with visibility into security threats detected across networks, cloud environments, and endpoints. [Learn more](/docs/integrations/saas-cloud/vectra/). \ No newline at end of file +We're excited to introduce the new Vectra app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud [Vectra source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vectra-source/) to collect the detections from the Vectra platform. It provides security analysts with visibility into security threats detected across networks, cloud environments, and endpoints. [Learn more](/docs/integrations/saas-cloud/vectra/). \ No newline at end of file From b7495491d895030f79d1776f1a6d2faa1823aa1f Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Wed, 20 Aug 2025 17:09:17 +0530 Subject: [PATCH 5/5] Rename 2025-08-21-apps.md to 2025-08-20-apps.md --- blog-service/{2025-08-21-apps.md => 2025-08-20-apps.md} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename blog-service/{2025-08-21-apps.md => 2025-08-20-apps.md} (90%) 
diff --git a/blog-service/2025-08-21-apps.md b/blog-service/2025-08-20-apps.md similarity index 90% rename from blog-service/2025-08-21-apps.md rename to blog-service/2025-08-20-apps.md index 7988e01118..598be04afd 100644 --- a/blog-service/2025-08-21-apps.md +++ b/blog-service/2025-08-20-apps.md @@ -9,4 +9,4 @@ hide_table_of_contents: true import useBaseUrl from '@docusaurus/useBaseUrl'; -We're excited to introduce the new Vectra app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud [Vectra source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vectra-source/) to collect the detections from the Vectra platform. It provides security analysts with visibility into security threats detected across networks, cloud environments, and endpoints. [Learn more](/docs/integrations/saas-cloud/vectra/). \ No newline at end of file +We're excited to introduce the new Vectra app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud [Vectra source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vectra-source/) to collect the detections from the Vectra platform. It provides security analysts with visibility into security threats detected across networks, cloud environments, and endpoints. [Learn more](/docs/integrations/saas-cloud/vectra/).